Manual Reference Pages  -  PAM_PER_USER (5)

NAME

pam_per_user - PAM module for calling per-user authentication mechanisms

CONTENTS

Synopsis
Description
Options
Example
Notes
Files
See Also
Author

SYNOPSIS

/usr/local/lib/security/pam_per_user.so.1

DESCRIPTION

pam_per_user is a shared library which gets dynamically loaded into the PAM framework. It allows the selection of authentication mechanism on a per-user basis for PAM-aware applications.

The pam_per_user module reads a map file to determine what mechanism to use for the user being authenticated. The map file consists of lines of the following format:

  [type=]key : service_name

Text beginning with a '#' is ignored through the next newline. Blank lines and incomplete lines are also ignored.

The optional type field indicates what type of match should be done against key. Supported types are:

USER
  Perform a simple string comparison of the key and the user.
  If key is "*", then the entry will be used as a fallback match. In other words, pam_per_user will save this entry and continue reading the map file. If a later entry matches, that match will be returned. However, if no other entries match, the fallback entry will be used. This allows a default mechanism to be selected for users which are not explicitly listed.
GROUP
  Checks to see whether the user is a member of group key.

If no type field is specified for a given entry, the default type is USER.

Once the map file has been read, pam_per_user creates a new PAM handle using the resulting service name. The requested PAM function is then called and the value is returned to the caller. This recursive use of PAM is transparent to the calling application.

The following special tokens can be specified in the map file instead of a PAM service name. They cause pam_per_user to return an immediate result without recursively calling PAM:

@FAIL
  Causes pam_per_user to return PAM_AUTH_ERR.
@SUCCEED
  Causes pam_per_user to return PAM_SUCCESS.
@IGNORE
  Causes pam_per_user to return PAM_IGNORE.

OPTIONS

The pam_per_user module accepts an optional argument which sets the name of the external file that will be read. If no filename is specified, /etc/pam_per_user.map will be read.

EXAMPLE

Say that you want to use the pam_pseudo module to allow users to su to a special pseudo-user account called foo, you want to prevent people from using su to become root, and you want members of the "wheel" group to authenticate via radius, but you do not want to modify the behavior for other accounts. To do this, create the file /etc/pam_per_user.map with the following content:

  foo : su-pseudo
  root : @FAIL
  GROUP=wheel : radius
  * : su-default

Then, rename the su entries in /etc/pam.conf to su-default and add the following new entries (the control flag is "required"; an entry such as "require" is not a valid control flag):

  su auth required /usr/local/lib/security/pam_per_user.so.1
  su-pseudo auth required /usr/local/lib/security/pam_pseudo.so.1
  radius auth required /usr/local/lib/security/pam_radius_auth.so.1

NOTES

Because pam_per_user creates a new PAM handle to authenticate the user with an alternate service name, it is possible to create an infinite loop by recursively calling pam_per_user. No checking is done to prevent this from happening, so the administrator must take care to avoid it.
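The following script is an added example, not code from pam_per_user itself. It models the map-file resolution rules from DESCRIPTION (comment and incomplete-line handling, the USER and GROUP match types, the "*" fallback that a later match overrides, and the @FAIL/@SUCCEED/@IGNORE tokens), runs them against the map from EXAMPLE, and adds the check that NOTES says the module itself does not perform: it flags any service named in the map whose pam.conf stack loads pam_per_user again. Group membership, the pam.conf text, and the extra "bob : su-loop" entry are constructed sample data; the function names are this example's own.

```python
"""Simulate pam_per_user(5) map resolution and lint for recursive use.

Added example; not the module's own code. Group membership and the
pam.conf contents are constructed inline instead of being read from
the running system.
"""

# Tokens that make pam_per_user return immediately instead of recursing.
SPECIAL = {"@FAIL": "PAM_AUTH_ERR", "@SUCCEED": "PAM_SUCCESS", "@IGNORE": "PAM_IGNORE"}

# Constructed sample map: the EXAMPLE map plus one extra entry (bob) that
# comes after the "*" fallback, to show that a later match still wins.
MAP_TEXT = """\
# per-user service selection (constructed sample)
foo : su-pseudo
root : @FAIL
GROUP=wheel : radius
* : su-default
this line has no separator and is ignored
bob : su-loop
"""

# Constructed group membership standing in for a getgrnam()/getgroups() lookup.
GROUPS = {"wheel": {"alice", "root"}}

# Constructed pam.conf; "su-loop" deliberately loads pam_per_user again.
PAM_CONF = """\
su          auth required /usr/local/lib/security/pam_per_user.so.1
su-default  auth required /usr/local/lib/security/pam_unix.so.1
su-pseudo   auth required /usr/local/lib/security/pam_pseudo.so.1
radius      auth required /usr/local/lib/security/pam_radius_auth.so.1
su-loop     auth required /usr/local/lib/security/pam_per_user.so.1
"""


def parse_map(text):
    """Return [(type, key, service)] in file order, skipping comments, blank and incomplete lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments run to end of line
        if not line or ":" not in line:
            continue  # blank or incomplete line
        lhs, service = (part.strip() for part in line.split(":", 1))
        if not lhs or not service:
            continue  # incomplete: missing key or service name
        if "=" in lhs:
            mtype, key = (part.strip() for part in lhs.split("=", 1))
            mtype = mtype.upper()
        else:
            mtype, key = "USER", lhs  # default type is USER
        if mtype not in ("USER", "GROUP"):
            continue  # assumption: an unknown type is treated as an unusable entry
        entries.append((mtype, key, service))
    return entries


def resolve(user, entries, groups=GROUPS):
    """Pick the service name for `user`, or None if nothing matched and no fallback exists."""
    fallback = None
    for mtype, key, service in entries:
        if mtype == "USER":
            if key == "*":
                fallback = service  # remembered, but any later match wins
            elif key == user:
                return service
        elif mtype == "GROUP" and user in groups.get(key, ()):
            return service
    return fallback


def authenticate(user, entries=None):
    """Return the immediate PAM result for a special token, or ('CALL', service) for recursive PAM use."""
    entries = parse_map(MAP_TEXT) if entries is None else entries
    service = resolve(user, entries)
    if service is None:
        return None  # the man page does not define this case; surface it to the caller
    return SPECIAL.get(service, ("CALL", service))


def parse_pam_conf(text):
    """Map service name -> list of module paths from pam.conf-style lines."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, _type, _control, module = fields[:4]
        stacks.setdefault(service, []).append(module)
    return stacks


def find_loops(entries, pam_conf_text, module_name="pam_per_user"):
    """List map services whose pam.conf stack loads pam_per_user again (a recursion risk)."""
    stacks = parse_pam_conf(pam_conf_text)
    return [svc for _t, _k, svc in entries
            if svc not in SPECIAL and any(module_name in m for m in stacks.get(svc, []))]


if __name__ == "__main__":
    entries = parse_map(MAP_TEXT)
    for user in ("foo", "root", "alice", "carol", "bob"):
        print(user, "->", authenticate(user, entries))
    print("recursive services:", find_loops(entries, PAM_CONF))
```

Running the script resolves foo to su-pseudo, root to an immediate PAM_AUTH_ERR (its USER entry precedes the wheel GROUP entry, so order matters), alice to radius, carol to the su-default fallback, and bob to su-loop even though the "*" line comes first; the lint then reports su-loop as the one service that would re-enter pam_per_user.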

FILES

/etc/pam_per_user.map
/etc/pam.conf

SEE ALSO

pam(3), pam.conf(4)

AUTHOR

Mark D. Roth <roth@feep.net>
Feep Networks PAM_PER_USER (5) Aug 2005